08 December 2011

Security Not Often a Top Priority for Small Business

I recently found an article that outlined a study about cyber security and small businesses. In the study, by Newtek Business Services’ Small Business Authority, it was discovered that “just 27 percent of small business owners have had an outside party test their computer systems to ensure that they are hacker-proof…” I found this to be a relatively shocking number, but one that is believable in today’s tough economy. It would seem that most small organizations would be watching every penny and often during that type of number crunching, Information Technology and I.T. Security budgets are often the first to get cut. Security has always been one of those items that, to most organizations, has been a hard sell to upper management, particularly if that organization has never experienced any sort of security or data breach. Security budgets are often looked upon as, “Why are we spending so much money on something that may happen.” Until an organization is hit, it is often a tough sell for many to pass a decent security budget.

This same article also highlights a recent study by PwC that “found 43 percent of global companies think they have an effective information security strategy in place and are proactively executing their plans.” Another interesting finding in this report was the number of respondents that have “confidence” in their plans. “Seventy-two percent of the more than 9,600 security executives…report confidence in the effectiveness of their organization’s information security activities… (a number that) has declined markedly since 2006.” This figure, in my opinion, shows that even the large organizations, as much as they may feel prepared, really are not too confident in their security preparations.

Maybe their lack of confidence comes from the large number of data and security breaches that are reported every day. In addition to these breaches are numbers that are behind them. Another study from the Ponemon Institute, sponsored by Symantec, found “that the average cost of a data breach increased by seven percent to $7.2million in 2010-with the most expensive data breach jumping 15 percent over the previous high to a whopping $35.3 million.” In addition, the study calculated that “the average data breach cost per individual compromised record is $214.” This is a staggering figure when you look at many of the breaches that have been reported, in most there are hundreds of thousand s of records lost each time. Multiply these numbers by $214 and the fines and associated fees per breach will climb quickly.

With these numbers in mind, this goes back to my original point, that only 27 percent of small business owners value security enough to have an outside company come in a test their security. Taking into account that many small organizations may not have the capital available for such security or “penetration” tests, it also begs the question, “Will they have enough capital to cover the fines and other fees associated with a data breach ($7.2million in 2010)?”

About the (ISC)² Blog

As the certifying body for more than 125,000 cyber, information, software and infrastructure security professionals worldwide, (ISC)² believes in the importance of open dialogue and collaboration. (ISC)² established this blog to provide a voice to certified members, who have significant knowledge and valuable insights that can benefit other security professionals and the public at large.

The (ISC)² blog gives members a forum to exchange ideas and inspires a safe and secure cyber world by supporting the advancement of the information security workforce via a public exchange with a broad range of information security topics.

Whether an (ISC)² member chooses to participate in the (ISC)² blog is his or her own decision. The postings on this site are the author's own and don't necessarily represent (ISC)²'s positions, strategies or opinions. (ISC)² monitors the blog in accordance with the (ISC)² Blog Guidelines, but the bloggers are responsible for their own content – common sense and intelligence should prevail.

Other than links to the (ISC)² website, (ISC)² does not control or endorse any links to products or services provided in this blog and makes no warranty regarding the content on any other linked website.

Those who post comments to (ISC)² blogs should ensure their comments are focused on relevant topics that relate to the specific blog being discussed. (ISC)² reserves the right to remove any post or comment from this site. Should you find objectionable content in this blog, please notify us as soon as possible at blog@isc2.org